Death of antivirus software imminent

dan at geer.org
Thu Jan 3 11:52:21 EST 2008


 > however, another interpretation is that the defenders
 > have chosen extremely poor position to defend ... and are
 > therefore at enormous disadvantage. it may be necessary
 > to change the paradigm (and/or find the high ground)
 > in order to successfully defend.


First, it is evident that the malware writers have
reached a level of sophistication where stealth is
more attractive than persistence, i.e., prey are
sufficiently abundant that it does not matter if your
code survives reboot -- you can always get a new
machine soon enough.  Second, as soon as one of these
guys figures out how to hook the memory manager
(which may already have happened), then the ability
to find the otherwise in-core-only malware goes away
as your act of scanning memory will be seen by the
now-corrupted memory manager and the malware will be
thus relocated as you search such that you are
playing blindman's bluff without knowing that you
are.  Third, targeted malware does not defeat the AV
paradigm technically, rather it defeats the business
model as no AV company can afford to craft, test, and
distribute signatures for any malware that does not
already have, say, 50,000 victims.  Fourth, under
so-called Service-Oriented-Architecture, there is no
one anywhere who knows where all the moving parts
are.

The aspect of this that is directly relevant to this
list is that while "we" have labored to make network
comms safe in an unsafe transmission medium, the
world has now reached the point where the odds favor
the hypothesis that whoever you are talking to is
themselves already 0wned, i.e., it does not matter if
the comms are clean when the opponent already owns
your counterparty.

I blogged on this recently (guest for Ryan Naraine)
and it made the top of Slashdot.  Apologies for
boring those who've already seen it.

--dan

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
